[OpenAFS-devel] Re: OpenSSH, OpenAFS, Heimdal Kerberos and MIT Kerberos

Jeffrey Hutzelman jhutz@cmu.edu
Mon, 26 Jan 2004 17:51:07 -0500


On Monday, January 26, 2004 17:17:46 -0500 Dean Anderson <dean@av8.com> 
wrote:

> On Mon, 26 Jan 2004, Jeffrey Hutzelman wrote:
>
>> Worse, it would not solve the problem.  The trouble here is not that AFS
>> tokens are stored in a kernel data structure instead of a file.  It's
>> that  they are indexed by a value which must be set on login, inherited
>> from each  process by its children, and must not be changeable by the
>> user (to prevent  token stealing).  OpenSSH loses not because you need
>> special code to set  tokens, and not even because you need special code
>> to generate a new PAG --  those things can be done by a PAM module.
>> OpenSSH loses because the PAM  session module gets called outside the
>> inheritance chain of the user's  shell, which means it can't set a PAG
>> or anything else that is inherited  across a fork (e.g. groups,
>> environment variables, resource limits, etc etc  etc).
>
> Right. And there is an easy solution: Turn off Privsep.

Sadly, this doesn't make any difference.  OpenSSH 3.7.1 and later run PAM 
session modules in a subprocess unrelated to the eventual user shell, 
regardless of whether privsep is enabled.  AFAIK, in earlier versions, it 
works fine even with privsep, because while such things may be run in a 
subprocess, they are run in a subprocess that ends up being an ancestor of 
the user shell.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA